If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Hello Guest,Our records indicate that you have never posted to our site before! Why not make your first post today by saying hello to our community in our Introductions forum.

Please review the forums rules, start with your first post today and become an active part of petri.co.il forums now!

If logging wasn't enabled then you cannot discover that retrospectively.
Exchange doesn't log at an item level. The most that you can get is the access to the mailbox. However that can give false positives, for example accessing content that has been allowed to contacts for example.

Comment

Thank you very much Sembee.
I already see that an Administrator account logged on to all mailboxes when viewing in System Manager, but that's nothing.

Auditing most probably wasn't configured, and the way the events are displayed I won't even be near the 100% mark. I really don't want much less in this case since people would get fired. Very strange the level of details is not even close to what one would expect/desire.

Comment

Exchange doesn't provide more granular logging because of the massive number of logs it would generate. Remember Exchange is an enterprise level solution, 1000 or more users per server is not unusual and logging is set on a per server basis. If you have 1000 users and are logging at the level required to fire someone then you will be generating a lot of logs which will simply drown out anything of any use inside the logs.

I have seen logging turned right up to try and capture everything, but the clients who are doing it are using a third party event log management tool which stores the logs elsewhere, on dedicated SQL servers in most cases.

Comment

This is a small shop with 70 mailboxes and I'd only need to monitor the one from our CEO, even if not for what happened in the past, but in the near future.

You can only set things at a per server basis, even on 70 users you will generate a very high number of logs. Things are not logged once a day or when Outlook is started, the logs are very frequent, as much as every couple of minutes per mailbox.

Comment

Hopefully future 2k7, 2k10 have more granular control as far as auditing is concerned.

You are talking about those products like they aren't released.
Nothing has changed in the logging options with regards to Exchange 2007/2010.

Logging at mailbox level is simply inefficient. Furthermore, Exchange 2007/2010 is really designed for major deployments - there is a school of thought that anyone with less than 100 mailboxes shouldn't even be running their own mail server, they should be pushed out to the cloud, and certainly the feature set in the latest versions of Exchange tend to push towards that thought.

This blog posting explains how the logging can be enabled, but the key point in that post still applies "There may be times however (even more so with older Outlook clients) that other users will access other mailboxes to see details about calendar appointments or other data."